The packages that contained malicious code were named jdb.js and db-json.js, and both had the same author. According to their descriptions, both were supposed to be developer tools aimed at developers working with database applications, specifically JSON files.
Sonatype's investigation showed that the malicious code would be executed after the user had imported and installed the packages. Its first task was to gather basic information about the compromised system. The next step was to try to download and execute a binary that would later install njRAT. njRAT, also known as Bladabindi, is a notorious remote access trojan (RAT) favored by many cybercriminals for spying and stealing information. The binary that would install njRAT was named patch.exe. The same file would also change the settings of the Windows firewall to whitelist the threat's C2 server. The code would then ping the server, starting the download of the RAT.
db-json.js was made to look harmless at first glance: it did contain functional code and even had a real README page on npm. The package was advertised as a module that creates databases from JSON files. The catch was that, if a developer used db-json.js, the script would stealthily pull in jdb.js as a dependency, so njRAT would still infiltrate the system.
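The transitive case described above (a plausible-looking package pulling in the malicious one) is what a lockfile check needs to catch. The following is an added example, not code from the article or from Sonatype: it scans an npm lockfile (lockfileVersion 2/3 layout) for the two package names the article reports and records whether each was a direct dependency or was pulled in by another package. The sample lockfile is constructed for the demonstration.

```javascript
// Added example (not from the article or Sonatype): scan an npm lockfile for
// the package names the article reports as malicious, including transitive
// dependencies such as jdb.js pulled in by db-json.js.
const KNOWN_MALICIOUS = new Set(["jdb.js", "db-json.js"]); // names from the article

// Constructed sample lockfile (npm lockfileVersion 2 layout): the project
// depends only on db-json.js and express; db-json.js in turn pulls in jdb.js.
const SAMPLE_LOCKFILE = JSON.stringify({
  name: "demo-app",
  lockfileVersion: 2,
  packages: {
    "": { dependencies: { "db-json.js": "^1.0.0", express: "^4.17.1" } },
    "node_modules/db-json.js": { version: "1.0.0", dependencies: { "jdb.js": "^1.0.0" } },
    "node_modules/jdb.js": { version: "1.0.0" },
    "node_modules/express": { version: "4.17.1" }
  }
});

// Lockfile v2/v3 keys are filesystem paths; the package name is everything
// after the last "node_modules/" (this handles nested and scoped packages).
function packageNameFromPath(path) {
  const marker = "node_modules/";
  return path.slice(path.lastIndexOf(marker) + marker.length);
}

// Returns [{ name, path, direct, via }] for every installed package whose name
// is on the blocklist. `direct` is true when the project's own package.json
// requested it; `via` lists the packages whose dependencies pulled it in.
function findMaliciousPackages(lockfileText, blocklist = KNOWN_MALICIOUS) {
  const lock = JSON.parse(lockfileText);
  const packages = lock.packages || {};
  const directDeps = new Set(Object.keys((packages[""] || {}).dependencies || {}));
  const findings = [];
  for (const [path, meta] of Object.entries(packages)) {
    if (path === "") continue;
    const name = packageNameFromPath(path);
    if (!blocklist.has(name)) continue;
    // Find every non-root package that declares this one as a dependency.
    const via = Object.entries(packages)
      .filter(([p, m]) => p !== "" && m.dependencies && name in m.dependencies)
      .map(([p]) => packageNameFromPath(p));
    findings.push({ name, path, version: meta.version, direct: directDeps.has(name), via });
  }
  return findings;
}

console.log(JSON.stringify(findMaliciousPackages(SAMPLE_LOCKFILE), null, 2));
```

On the constructed lockfile this reports db-json.js as a direct dependency and jdb.js as an indirect one pulled in via db-json.js, which is the pattern a blocklist check on package.json alone would miss.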
npm's security team issued alerts after the packages were removed. The alerts advised developers that, if they had installed either of the two packages, their systems should be considered fully compromised. RAT infections are commonly treated as severe security incidents because they can give cybercriminals full access to a compromised system. This isn't the first time npm libraries have been used by bad actors to try to infect devices; attempts to deliberately distribute malware through malicious packages have become more common in the past few months.